PT-2026-33219 · Unknown · Async Http Client

Published: 2026-04-14 · Updated: 2026-05-18 · CVE-2026-40490

CVSS v3.1: 6.8 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

AsyncHttpClient versions prior to 2.14.5
AsyncHttpClient versions prior to 3.0.9
Description

When redirect following is enabled via followRedirect(true), the library forwards the Authorization and Proxy-Authorization headers and Realm credentials to arbitrary redirect targets, regardless of changes to the domain, scheme, or port. This leads to credential leakage during cross-domain redirects and HTTPS-to-HTTP downgrades. Furthermore, setting stripAuthorizationOnRedirect to true does not prevent the Realm object containing plaintext credentials from being propagated, which causes NettyRequestFactory to re-generate credentials for the Basic and Digest authentication schemes on the redirected request. An attacker who controls a redirect target, for example through an open redirect, DNS rebinding, or a MITM position on plain HTTP, can capture Bearer tokens, Basic auth credentials, or other Authorization header values.
Recommendations

Update to version 2.14.5 (2.x branch) or version 3.0.9 (3.x branch).
Set stripAuthorizationOnRedirect(true) in the client configuration and avoid using Realm-based authentication while redirect following is enabled.
Disable redirect following by setting followRedirect(false) and handle redirects manually with origin validation.
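The last recommendation, worked out as an added example (not code from the advisory or from the AsyncHttpClient project): built-in redirect following is switched off and a small loop follows 3xx responses itself, re-sending the Authorization header only while the target keeps the original scheme, host and port. The URL and token are placeholders, and the builder method names setFollowRedirect and setStripAuthorizationOnRedirect are taken from the library's configuration API for the options the advisory names.

```java
import java.net.URI;
import java.util.concurrent.ExecutionException;
import org.asynchttpclient.AsyncHttpClient;
import org.asynchttpclient.Dsl;
import org.asynchttpclient.RequestBuilder;
import org.asynchttpclient.Response;

public class SafeRedirectClient {
    private static final int MAX_REDIRECTS = 5;

    // Default port when the URI carries none, so "https://h" and "https://h:443" match.
    static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    // Same origin means scheme, host and effective port all agree; an https->http
    // downgrade or a hop to another host therefore fails this check.
    static boolean sameOrigin(URI a, URI b) {
        return a.getScheme() != null && a.getScheme().equalsIgnoreCase(b.getScheme())
            && a.getHost() != null && a.getHost().equalsIgnoreCase(b.getHost())
            && effectivePort(a) == effectivePort(b);
    }

    // Manual redirect handling: credentials travel only to the original origin.
    static Response getWithAuth(AsyncHttpClient client, String url, String authorization)
            throws ExecutionException, InterruptedException {
        URI origin = URI.create(url);
        URI current = origin;
        for (int hop = 0; hop <= MAX_REDIRECTS; hop++) {
            RequestBuilder rb = Dsl.get(current.toString());
            if (sameOrigin(origin, current)) {
                rb.setHeader("Authorization", authorization); // omitted on cross-origin hops
            }
            Response resp = client.executeRequest(rb.build()).get();
            String location = resp.getHeader("Location");
            if (resp.getStatusCode() < 300 || resp.getStatusCode() >= 400 || location == null) {
                return resp;
            }
            current = current.resolve(location); // Location may be relative
        }
        throw new IllegalStateException("too many redirects");
    }

    public static void main(String[] args) throws Exception {
        // followRedirect(false): only the loop above follows 3xx responses.
        try (AsyncHttpClient client = Dsl.asyncHttpClient(
                Dsl.config().setFollowRedirect(false).setStripAuthorizationOnRedirect(true))) {
            Response r = getWithAuth(client, "https://api.example.test/resource", "Bearer <placeholder-token>");
            System.out.println(r.getStatusCode());
        }
    }
}
```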

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CLEANSTART-2026-JU62349
CLEANSTART-2026-WK99982
CVE-2026-40490
GHSA-CMXV-58FP-FM3G

Affected Products

Async Http Client